codex-shell: bump CLI versions + disable autoupdate + skip-permissions#24
Merged
Merged
Conversation
Three coupled changes that together make the agent containers boot
into a usable, current-version state without manual intervention.
1. Bump pinned CLI versions to current npm latest:
CLAUDE_CODE_VERSION: 2.1.133 → 2.1.139
OPENAI_CODEX_VERSION: 0.129.0 → 0.130.0
This is what runtime auto-update was trying (and failing) to do.
Letting Renovate own ongoing bumps via PRs matches the rest of
the codex-shell pinning model.
2. ENV DISABLE_AUTOUPDATER=true. Runtime auto-update can't succeed
inside the container anyway — npm rename within /usr/bin/ requires
root, and the agent user is uid 10001. The chown patch (PR #23)
covered /usr/lib/node_modules/@Anthropic-AI and the symlink itself
but couldn't cover write-perms on the /usr/bin/ parent. With the
ARG-pinned versions, suppressing the updater removes a noisy TUI
banner without losing any actual version-update capability.
3. Add --dangerously-skip-permissions to the claude launch command.
Without this, every restart drops the agent back into per-tool
approval mode and unattended task execution stalls waiting for a
human. The pod IS the sandbox boundary; the per-tool approval
gate isn't load-bearing inside it.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Collaborator
|
Retroactive Codex review: blessed after merge. The diff is limited to pinned CLI version bumps, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three coupled changes that together get the agent containers booting into a current-version, no-banner, no-per-tool-prompt state without manual intervention.
CLAUDE_CODE_VERSION: 2.1.133 → 2.1.139OPENAI_CODEX_VERSION: 0.129.0 → 0.130.0ENV DISABLE_AUTOUPDATER=true— suppresses the noisy TUI banner. Runtime auto-update can't succeed anyway (npm rename within/usr/bin/requires root); image-time pinning + Renovate PRs are the actual update path.--dangerously-skip-permissionsto the claude launch inbin/entrypoint.sh. Pod is the sandbox; per-tool prompts inside it break unattended task execution.Test plan
claude --versionis 2.1.139, no per-tool approval prompts during normal session🤖 Generated with Claude Code